Arrests made after eBay's Stubhub suffers cyber-thefts

Tickets for Justin Timberlake concerts were said to be among those involved in the crime

The US has charged six men in connection with a scam that defrauded eBay's Stubhub of about $1m (£587,000).

The charges came after more than 1,600 accounts belonging to the online ticket resale service were broken into and used to make purchases without the owners' permissions.

The attack involved a "global cybercrime ring", according to New York County's district attorney office.

Three other men have been arrested in London in connection with the thefts.

It is the second breach to have been disclosed by eBay this year.

However, in this latest case the firm said its servers had not been hacked.

"The arrests today relate to fraudulent transactions that were detected on existing Stubhub customer accounts in 2013," said spokesman Glenn Lehrman.

"These legitimate customer accounts were accessed by cybercriminals who had obtained the customers' login and password either through data breaches of other websites and retailers, or through the use of key-loggers and/or other malware on the customer's own PC.

"Once fraudulent transactions were detected on a given account, customers were immediately contacted by Stubhub's trust and safety team, who refunded any unauthorised transactions."

City of London Police commissioner Adrian Leppard added: "This is an important investigation, targeting cybercriminals who are believed to have defrauded Stubhub out of $1m, by hacking its United States' customers' accounts to fraudulently purchase and sell tickets, and then laundered their criminal profits through legitimate UK bank accounts."

The Royal Canadian Mounted Police, the US Secret Service and the New York City Police Department (NYPD) were also involved in the investigation.

International arrests

Three of the men charged by the US are from Russia, while the others are Americans.

The two Russians are alleged to have used information taken from San Francisco-based Stubhub's accounts as well as credit card details stolen from additional victims to purchase more than 3,500 e-tickets from the site.

Stubhub has been in operation 14 years as an authorised ticket reselling service

These included tickets for concerts featuring Justin Timberlake, Elton John and Jay-Z, as well as Broadway shows and sports events.

They are accused of then passing the tickets to three men from New York and New Jersey.

It is alleged that they carried out instructions to funnel the proceeds to PayPal accounts controlled by Polyakov and other associates as well as to multiple bank accounts in the UK and Germany.

One of these accounts is said to have belonged to Sergei Kirin, a 37-year-old Russian, who is charged with laundering the cash.

In addition, Manhattan district attorney Cyrus Vance Jr said that further sums were sent to other unnamed money launderers in the UK and Germany.

"Cybercriminals know no boundaries - they do not respect international borders or laws," he said.

Tickets to Broadway's Book of Mormon were also reportedly used as part of the scam

Polyakov was arrested while visiting Spain on 3 July when he was picked up outside a Barcelona hotel by local authorities who were working with US Secret Service agents.

The Secret Service is responsible for investigating computer and telecommunications fraud as well as money laundering.

In addition, the NYPD has searched the homes of the three Americans to find additional evidence of their involvement in the scheme.

The City of London police force said it had also arrested a 27-year-old, a 39-year-old and a 46-year-old in connection with the crimes.

The Canadian police added they had arrested an additional suspected money launderer in Toronto.

Second attack

The arrests follow a separate attack reported by eBay in May.

Law enforcers in the US, UK, Spain and Canada were involved in the arrests

The firm made users change their passwords to its main online marketplace after hackers accessed a database containing names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.

It said at the time that it had no evidence of that attack resulting in unauthorised activity on its members' accounts.

One expert said the breaches should act as a wake-up call to the online business community as a whole.

"We have long warned that personal data nabbed in one heist can be used to launch other, socially-engineered cyberattacks," said Paul Ayers from the data security firm Vormetric.

"Today we finally have confirmation of such an eventuality.

"Encryption of all data, regardless of where it resides, is a must - ensuring that no matter whose hands it falls into, it remains illegible and essentially useless."